Analysis
- max time kernel: 121s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 26-04-2024 10:43

Static task: static1
Behavioral task: behavioral1
- Sample: HEpu SWIFT.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: HEpu SWIFT.exe
- Resource: win10v2004-20240419-en
General
- Target: HEpu SWIFT.exe
- Size: 825KB
- MD5: e6a12fc71511e3aa16c523bc6f1c6beb
- SHA1: e6893d94c0b4e898b9d491610ea679112942c2c5
- SHA256: 7c734ef576fc3a9ef020c19f95dbb7f14225393ee9a0e0054bb10de5ec7ec2f0
- SHA512: 63e1cdd4bce8b782acdefded193bb8cca242bbc1d524e83fb6d5ce1c8760420c3f7eccef25b23c9a238688ae9b5206b6998da8a980113cdb005cbf24d621f55c
- SSDEEP: 12288:NrqnHvjNIrpf9rN/mc/C6AgGXsEdBgEYviJqienJYUTQdXsw6E5sAQ3cwFqZu6Qr:NePjKr5BNDnACKJJIYsAQ3chw8
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.jspkragujevac.rs
- Port: 587
- Username: [email protected]
- Password: LA5dv##fbU%5
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a .NET (Visual Basic .NET) information stealer and remote access tool (RAT).
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: HEpu SWIFT.exe (the second instance, PID 2752)
  Set value (str): \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\NcnBt = "C:\\Users\\Admin\\AppData\\Roaming\\NcnBt\\NcnBt.exe"
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 2: api.ipify.org
  Flow 5: ip-api.com
- Suspicious use of SetThreadContext (1 IoC)
  PID 2424 (HEpu SWIFT.exe) set thread context of PID 2752 (HEpu SWIFT.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID 2752 HEpu SWIFT.exe (2 entries); PID 2716 powershell.exe (1 entry)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token SeDebugPrivilege: PID 2752 HEpu SWIFT.exe
  Token SeDebugPrivilege: PID 2716 powershell.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  PID 2424 (HEpu SWIFT.exe) wrote to memory of PID 2716 (powershell.exe): 4 entries
  PID 2424 (HEpu SWIFT.exe) wrote to memory of PID 2596 (schtasks.exe): 4 entries
  PID 2424 (HEpu SWIFT.exe) wrote to memory of PID 2752 (HEpu SWIFT.exe): 9 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\HEpu SWIFT.exe (PID 2424)
  "C:\Users\Admin\AppData\Local\Temp\HEpu SWIFT.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2716)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\brirwbdh.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 2596)
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\brirwbdh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3F90.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\HEpu SWIFT.exe (PID 2752)
    "C:\Users\Admin\AppData\Local\Temp\HEpu SWIFT.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
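The process tree above is the whole dropper chain: a copy in the user's Temp directory spawns PowerShell to whitelist a path under AppData\Roaming in Defender (on this Windows 7 image the Defender PowerShell module that provides Add-MpPreference is absent, so the command itself is the signal, not its effect), registers a scheduled task from an XML file in Temp, then starts a second copy of itself, writes into it nine times and calls SetThreadContext on it; that hollowed child (PID 2752) is the instance that sets the Run key and performs the external IP lookups. The Python below is an added example, not part of the Triage report or of any Triage tooling: it runs one rule per stage over a constructed event list whose PIDs, paths, task name, Run value and hostnames are taken from this report. The event schema, the explorer.exe parent of PID 2424 and the ports on the two IP-lookup flows are assumptions and are marked as such in the code.

```python
"""Behaviour rules over a constructed event stream mirroring this report's process tree.

Added example; not Triage's code. The event schema (type/pid/image/parent_image/
cmdline/key/value/dst_host/dst_port) is an assumption loosely modelled on Sysmon
field names. PIDs, paths, the task name, the Run value and the hostnames are the
report's; the explorer.exe parent of PID 2424 and the IP-lookup ports are assumed.
"""
import re

# Paths a standard user can write to: a parent or payload living here is the
# usual giveaway for a freshly dropped sample.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Local\\Temp|Roaming)\\", re.I)
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com"}
SMTP_PORTS = {25, 465, 587}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\HEpu SWIFT.exe"
POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"

EVENTS = [  # constructed; see module docstring for what is assumed
    {"type": "process", "pid": 2424, "image": SAMPLE, "cmdline": f'"{SAMPLE}"',
     "parent_image": r"C:\Windows\explorer.exe"},  # parent process assumed
    {"type": "process", "pid": 2716, "image": POWERSHELL, "parent_image": SAMPLE,
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\brirwbdh.exe"'},
    {"type": "process", "pid": 2596, "image": SCHTASKS, "parent_image": SAMPLE,
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\brirwbdh" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp3F90.tmp"'},
    {"type": "process", "pid": 2752, "image": SAMPLE, "parent_image": SAMPLE,
     "cmdline": f'"{SAMPLE}"'},
    {"type": "registry", "pid": 2752, "image": SAMPLE,
     "key": r"HKU\S-1-5-21-481678230-3773327859-3495911762-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\NcnBt",
     "value": r"C:\Users\Admin\AppData\Roaming\NcnBt\NcnBt.exe"},
    {"type": "network", "pid": 2752, "image": SAMPLE, "dst_host": "api.ipify.org", "dst_port": 443},  # port assumed
    {"type": "network", "pid": 2752, "image": SAMPLE, "dst_host": "ip-api.com", "dst_port": 80},      # port assumed
    {"type": "network", "pid": 2752, "image": SAMPLE,  # host and port from the extracted SMTP config
     "dst_host": "mail.jspkragujevac.rs", "dst_port": 587},
]


def defender_exclusion(ev):
    """PowerShell adding a Defender exclusion, launched by something in Temp/Roaming."""
    cmd = ev.get("cmdline", "").lower()
    if (ev["type"] == "process" and "add-mppreference" in cmd and "-exclusionpath" in cmd
            and USER_WRITABLE.search(ev["parent_image"])):
        return "Defender exclusion added by PowerShell spawned from a user-writable path"


def schtasks_from_temp(ev):
    """schtasks /Create whose /XML definition lives in a user-writable directory."""
    cmd = ev.get("cmdline", "")
    m = re.search(r'/xml\s+(?:"([^"]+)"|(\S+))', cmd, re.I)
    xml_path = (m.group(1) or m.group(2)) if m else None
    if ev["type"] == "process" and "/create" in cmd.lower() and xml_path and USER_WRITABLE.search(xml_path):
        return f"Scheduled task created from XML in a user-writable path: {xml_path}"


def run_key_to_appdata(ev):
    """Run value pointing at a binary under AppData."""
    if (ev["type"] == "registry" and "\\currentversion\\run\\" in ev["key"].lower()
            and USER_WRITABLE.search(ev["value"])):
        name = ev["key"].split("\\")[-1]
        return f"Run value {name} -> {ev['value']}"


def self_spawn_from_temp(ev):
    """Parent and child share an image under Temp/Roaming: hollowing candidate."""
    if (ev["type"] == "process" and ev["image"].lower() == ev["parent_image"].lower()
            and USER_WRITABLE.search(ev["image"])):
        return "Self-spawned copy from a user-writable path (process hollowing candidate)"


def external_ip_lookup(ev):
    if ev["type"] == "network" and ev["dst_host"].lower() in IP_LOOKUP_HOSTS:
        return f"External IP lookup via {ev['dst_host']}"


def smtp_from_dropper(ev):
    """Direct SMTP from a binary in a user-writable path: the AgentTesla exfil pattern."""
    if ev["type"] == "network" and ev["dst_port"] in SMTP_PORTS and USER_WRITABLE.search(ev["image"]):
        return f"SMTP to {ev['dst_host']}:{ev['dst_port']} from a binary in a user-writable path"


RULES = [defender_exclusion, schtasks_from_temp, run_key_to_appdata,
         self_spawn_from_temp, external_ip_lookup, smtp_from_dropper]


def run_rules(events):
    """Return [(rule_name, pid, detail)] for every rule that fires on every event."""
    hits = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                hits.append((rule.__name__, ev["pid"], detail))
    return hits


def chain_score(hits):
    """Sorted distinct rule names that fired; four or more stages is a strong chain."""
    return sorted({name for name, _, _ in hits})


if __name__ == "__main__":
    for name, pid, detail in run_rules(EVENTS):
        print(f"[{name}] pid={pid}: {detail}")
    print("stages:", chain_score(run_rules(EVENTS)))
```

Each rule on its own is noisy (installers self-spawn, administrators add exclusions), which is why the decision should be made on `chain_score`: four or more distinct stages from one process tree within the two-minute window of this run is hard to explain benignly. A benign self-spawn from Program Files fires nothing, because every rule also requires the user-writable path.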
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp3F90.tmp
  Filesize: 1KB
  MD5: 6b49c1d5294f015aca9c2c6af3904f65
  SHA1: 3faace3f85a5c5b9477fcdf1622774c45523a5fd
  SHA256: 1798f7066f3a1fe7e903f5cb3642105ef381f5956234ed9a6ae2c55ccec14b88
  SHA512: 30e4590bf88e7818597f67defa6ca03269736593de6191702eef0d8c87767111c1908085587730a4746511653525ca581588c97ced5f8f644b3b7fcc860e5676
- memory/2424-0-0x00000000009E0000-0x0000000000AB4000-memory.dmp: 848KB
- memory/2424-1-0x0000000073F80000-0x000000007466E000-memory.dmp: 6.9MB
- memory/2424-2-0x0000000004ED0000-0x0000000004F10000-memory.dmp: 256KB
- memory/2424-3-0x0000000000340000-0x0000000000360000-memory.dmp: 128KB
- memory/2424-4-0x00000000003B0000-0x00000000003C4000-memory.dmp: 80KB
- memory/2424-5-0x0000000004F50000-0x0000000004FD4000-memory.dmp: 528KB
- memory/2424-25-0x0000000073F80000-0x000000007466E000-memory.dmp: 6.9MB
- memory/2752-24-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
- memory/2752-23-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
- memory/2752-22-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
- memory/2752-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp: 4KB
- memory/2752-19-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
- memory/2752-17-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
- memory/2752-15-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
- memory/2752-13-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
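The only dropped file in this run is tmp3F90.tmp, the 1KB definition passed to `schtasks /Create /TN "Updates\brirwbdh" /XML`, so the first thing an analyst wants from it is what the task executes and when. The Python below is an added example, not part of the Triage report: it pulls the action, triggers and the settings that matter out of a Task Scheduler XML file. The report gives only the task name and the file's hashes, not its contents, so CONSTRUCTED_TASK_XML is an assumption built for illustration; it reuses the path the sample excluded from Defender and a logon trigger, neither of which the report proves. Files written by the Task Scheduler API are UTF-16 with a byte-order mark, which is why the parser takes bytes and lets expat detect the encoding rather than decoding to a string first.

```python
"""Extract action and triggers from a Task Scheduler XML, as passed to schtasks /Create /XML.

Added example for this report, not Triage's code. CONSTRUCTED_TASK_XML stands in for
tmp3F90.tmp, whose contents the report does not show: the command path and the logon
trigger are assumptions.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Local\\Temp|Roaming)\\", re.I)

# Constructed (assumed) content; encoded as UTF-16 with BOM like a real task file.
CONSTRUCTED_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <Hidden>true</Hidden>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\Admin\AppData\Roaming\brirwbdh.exe</Command>
    </Exec>
  </Actions>
</Task>
""".encode("utf-16")


def _text(root, path):
    el = root.find(path, NS)
    return el.text.strip() if el is not None and el.text else None


def parse_task(raw: bytes) -> dict:
    """Return the task's command, arguments, trigger element names and key settings."""
    root = ET.fromstring(raw)  # bytes in: expat honours the BOM / encoding declaration
    trig = root.find("t:Triggers", NS)
    triggers = [] if trig is None else [child.tag.split("}")[-1] for child in trig]
    return {
        "command": _text(root, "t:Actions/t:Exec/t:Command"),
        "arguments": _text(root, "t:Actions/t:Exec/t:Arguments"),
        "triggers": triggers,
        "hidden": _text(root, "t:Settings/t:Hidden") == "true",
        "run_level": _text(root, "t:Principals/t:Principal/t:RunLevel"),
    }


def assess(task: dict) -> list:
    """Reasons an analyst should look twice at this task, in a fixed order."""
    flags = []
    if USER_WRITABLE.search(task["command"] or ""):
        flags.append("command in user-writable path")
    if task["hidden"]:
        flags.append("task hidden from the UI")
    if "LogonTrigger" in task["triggers"] or "BootTrigger" in task["triggers"]:
        flags.append("runs at logon/boot")
    if task["run_level"] == "HighestAvailable":
        flags.append("requests highest available privileges")
    return flags


if __name__ == "__main__":
    task = parse_task(CONSTRUCTED_TASK_XML)
    print(task)
    print(assess(task))
```

On a live host the same function can be pointed at the registered copy of the task, which Windows keeps under C:\Windows\System32\Tasks\Updates\brirwbdh once schtasks has imported the XML; comparing that file's hash with the dropped tmp3F90.tmp confirms that the task the sample registered is the one you are reading.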